This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments
Click for full size.
This PoC was tested on Windows 10 with Office Professional Plus 2016, version 1902. It will only work on 32-bit Office versions (on a 32 or 64-bit Windows version). If you have access to a 64-bit Office version and would like to contribute, please do!
The size of the original command line stored in originalCli needs to be greater than the size of the real one stored in cmdStr
- "Red Teaming in the EDR age" by Will Burgess
- https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
- https://twitter.com/subtee
You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.